R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

August 8, 2021

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
FYI - NSA shares guidance on how to secure your wireless devices - The US National Security Agency (NSA) today published guidance on how to properly secure wireless devices against potential attacks targeting them when traveling or working remotely. https://www.bleepingcomputer.com/news/security/nsa-shares-guidance-on-how-to-secure-your-wireless-devices/

A couple simple steps companies can take to protect their systems from ransomware - Installing the patches software developers release is one way users can help protect themselves from ransomware. https://www.scmagazine.com/video/patch-management/a-couple-simple-steps-companies-can-take-to-protect-their-systems-from-ransomware

Breach ruling shows importance of legal advice early after cyber incident - Companies that think they may have suffered a data security incident should involve their legal advisers as early as possible in the response and investigation process to avoid suffering the same fate as Rutter’s convenience stores, which was ordered to turn over a data breach report to opposing lawyers. https://www.scmagazine.com/analysis/breach/breach-ruling-shows-importance-of-legal-advice-early-after-cyber-incident?

Most pharma companies actively expose data via databases, remote access points - The vast majority of global pharmaceutical companies are inadvertently exposing information through a number of vulnerabilities, including remote access platforms, unsecured databases, and even the network perimeter, highlighting the risks posed by the accelerated digitization of the pharma sector, according to a recent report. https://www.scmagazine.com/analysis/network-security/most-pharma-companies-actively-expose-data-via-databases-remote-access-points

What Can Be Done to Enhance Electrical Grid Security? - The lack of adequate security features in critical electrical grid equipment - including high-power transformers - that's made in other nations poses a serious U.S. cybersecurity threat, according to federal officials who testified at a Congressional hearing this week. https://www.govinfosecurity.com/what-be-done-to-enhance-electrical-grid-security-a-17173

US Government Unlikely to Ban Ransomware Payments - The US government is unlikely to make it illegal for organizations to pay ransoms to regain access to data following a ransomware incident or to keep cybercriminals from releasing sensitive data following a breach. https://www.darkreading.com/risk/us-government-unlikely-to-ban-ransomware-payments

Now’s the time to rethink workforce security - Looking back to the first Verizon Data Breach Investigations Report some 13 years ago, the leading causes of data breaches were phishing and malware. https://www.scmagazine.com/perspective/security-awareness/nows-the-time-to-rethink-workforce-security


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers used never-before-seen wiper in recent attack on Iranian train system - Researchers with cybersecurity company SentinelOne reconstructed the recent cyberattack on Iran's train system in a new report, uncovering a new threat actor -- which they named 'MeteorExpress' -- and a never-before-seen wiper. https://www.zdnet.com/article/hackers-used-never-before-seen-wiper-in-recent-attack-on-iranian-train-system-report/

UC San Diego Health Breach Tied to Phishing Attack - Employee email takeover exposed personal, medical data of students, employees and patients. https://threatpost.com/uc-san-diego-health-breach/168250/

South Africa Port Operator Declares Force Majeure Over Cyber Attack - Transnet SOC Ltd., South Africa’s state-owned ports and freight-rail company, declared force majeure at the country’s key container terminals due to disruptions caused by a July 22 cyberattack. https://www.bloomberg.com/news/articles/2021-07-27/s-africa-port-operator-declares-force-majeure-over-cyber-attack-krln4ku6

Nearly 450K patients impacted by Orlando Family Physicians phishing attack - The latest data breaches reported by the health care sector are primarily led by email-related incidents and ransomware, and two of which are among the largest reported this year. https://www.scmagazine.com/analysis/breach/nearly-450k-patients-impacted-by-orlando-family-physicians-phishing-attack

SolarWinds attackers breached email of US prosecutors, says Department of Justice - Hackers - probably backed by Russia - had access to emails for over six months. The US Justice Department (DoJ) has revealed the extent to which hackers had access to officials' emails due to the SolarWinds breach it disclosed in January.  https://www.zdnet.com/article/solarwinds-attackers-breached-email-of-us-prosecutors-says-department-of-justice/

Phantom Warships Are Courting Chaos in Conflict Zones - The latest weapons in the global information war are fake vessels behaving badly. Last year, the largest ship in the UK's Royal Navy, the aircraft carrier HMS Queen Elizabeth, steamed majestically towards the Irish Sea. https://www.wired.com/story/fake-warships-ais-signals-russia-crimea/

Cyberattack shuts down Italian region’s COVID-19 vaccine scheduling app - Cybercriminals have shut down the IT systems of the management vendor that hosts the COVID-19 vaccine scheduling app of the Lazio region of Italy, just outside of Rome. https://www.scmagazine.com/analysis/application-security/cyberattack-shuts-down-italian-regions-covid-19-vaccine-scheduling-app



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
   
   Security Controls 
   
   While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking. This should include establishing appropriate authorization privileges and authentication measures, logical and physical access controls, adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities and data integrity of transactions, records and information. In addition, the existence of clear audit trails for all e-banking transactions should be ensured and measures to preserve confidentiality of key e-banking information should be appropriate with the sensitivity of such information. 
   
   Although customer protection and privacy regulations vary from jurisdiction to jurisdiction, banks generally have a clear responsibility to provide their customers with a level of comfort regarding information disclosures, protection of customer data and business availability that approaches the level they can expect when using traditional banking distribution channels. To minimize legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should make adequate disclosure of information on their web sites and take appropriate measures to ensure adherence to customer privacy requirements applicable in the jurisdictions to which the bank is providing e-banking services.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   SECURITY CONTROLS - IMPLEMENTATION
   

   LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
   
   Access Rights Administration (5 of 5)
   

   The access rights process also constrains user activities through an acceptable-use policy (AUP). Users who can access internal systems typically are required to agree to an AUP before using a system. An AUP details the permitted system uses and user activities and the consequences of noncompliance. AUPs can be created for all categories of system users, from internal programmers to customers. An AUP is a key control for user awareness and administrative policing of system activities. Examples of AUP elements for internal network and stand-alone users include:
   
   - The specific access devices that can be used to access the network;
   
   - Hardware and software changes the user can make to their access device;
   
   - The purpose and scope of network activity;
   
   - Network services that can be used, and those that cannot be used;
   
   - Information that is allowable and not allowable for transmission using each allowable service;
   
   - Bans on attempting to break into accounts, crack passwords, or disrupt service;
   
   - Responsibilities for secure operation; and
   
   - Consequences of noncompliance.
   
   Depending on the risk associated with the access, authorized internal users should generally receive a copy of the policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system.
   
   Customers may be provided with a Web site disclosure as their AUP. Based on the nature of the Web site, the financial institution may require customers to demonstrate knowledge of and agreement to abide by the terms of the AUP. That evidence can be paper based or electronic.
   
   Authorized users may seek to extend their activities beyond what is allowed in the AUP, and unauthorized users may seek to gain access to the system and move within the system. Network security controls provide the protection necessary to guard against those threats.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
  

  For most systems, identification and authentication (I&A) is the first line of defense. I&A is a technical measure that prevents unauthorized people (or unauthorized processes) from entering a computer system.
  
  I&A is a critical building block of computer security since it is the basis for most types of access control and for establishing user accountability. Access control often requires that the system be able to identify and differentiate among users. For example, access control is often based on least privilege, which refers to the granting to users of only those accesses required to perform their duties. User accountability requires the linking of activities on a computer system to specific individuals and, therefore, requires the system to identify users.
  
  Identification is the means by which a user provides a claimed identity to the system. Authentication is the means of establishing the validity of this claim.
  
  This chapter discusses the basic means of identification and authentication, the current technology used to provide I&A, and some important implementation issues.
  
  Computer systems recognize people based on the authentication data the systems receive. Authentication presents several challenges: collecting authentication data, transmitting the data securely, and knowing whether the person who was originally authenticated is still the person using the computer system. For example, a user may walk away from a terminal while still logged on, and another person may start using it.
  
  There are three means of authenticating a user's identity, which can be used alone or in combination:
  
  1) something the individual knows (a secret -- e.g., a password, Personal Identification Number (PIN), or cryptographic key);
  
  2) something the individual possesses (a token -- e.g., an ATM card or a smart card); and
  
  3) something the individual is (a biometric -- e.g., such characteristics as a voice pattern, handwriting dynamics, or a fingerprint).
  
  A typical user identification could be JSMITH (for Jane Smith). This information can be known by system administrators and other system users. A typical user authentication could be Jane Smith's password, which is kept secret. This way system administrators can set up Jane's access and see her activity on the audit trail, and system users can send her e-mail, but no one can pretend to be Jane.
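The JSMITH example above separates a public identifier from a secret authenticator, ties audit-trail entries to that identifier, and notes the walked-away-terminal problem. The following Python sketch, added here as an illustration and not part of the NIST Handbook or this newsletter, shows those pieces working together: identification by user id, authentication by a salted PBKDF2 password verifier (one implementation choice for the "something the individual knows" factor), an audit trail that links every action to the authenticated identity, and an inactivity timeout so an abandoned session stops being trusted. The user store, the 15-minute timeout and the audit list are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store: public identifier -> (salt, password verifier).
# The identifier (e.g. JSMITH) is not secret; only the password is.
_USERS = {}
# Audit trail: (timestamp, user id, action). Every entry names a specific identity,
# which is what the Handbook means by user accountability.
_AUDIT = []
# Assumed inactivity limit (seconds) after which a session is no longer trusted.
IDLE_TIMEOUT = 900


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256 verifier; the iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(user_id, password):
    """Enrol a user: store a per-user random salt and the derived verifier, never the password."""
    salt = os.urandom(16)
    _USERS[user_id] = (salt, _derive(password, salt))


def authenticate(user_id, password, now=None):
    """Identification (user_id is the claimed identity) plus authentication (the password
    proves the claim). Returns a session dict on success, None on failure."""
    now = time.time() if now is None else now
    record = _USERS.get(user_id)
    if record is None:
        # Do the same amount of work for unknown ids so timing does not reveal valid names.
        _derive(password, b"\x00" * 16)
        _AUDIT.append((now, user_id, "login-failed"))
        return None
    salt, verifier = record
    # Constant-time comparison of the recomputed verifier against the stored one.
    if not hmac.compare_digest(_derive(password, salt), verifier):
        _AUDIT.append((now, user_id, "login-failed"))
        return None
    _AUDIT.append((now, user_id, "login"))
    return {"user": user_id, "last_activity": now}


def perform(session, action, now=None):
    """Record an action against the authenticated identity. Refuses the action once the
    session has been idle longer than IDLE_TIMEOUT (the walked-away terminal case)."""
    now = time.time() if now is None else now
    if now - session["last_activity"] > IDLE_TIMEOUT:
        _AUDIT.append((now, session["user"], "session-expired"))
        return False
    session["last_activity"] = now
    _AUDIT.append((now, session["user"], action))
    return True


def audit_for(user_id):
    """Actions attributable to one identity, in the order they were recorded."""
    return [action for _, uid, action in _AUDIT if uid == user_id]


if __name__ == "__main__":
    register("JSMITH", "correct horse battery")
    print(authenticate("JSMITH", "wrong password"))          # None: claim not established
    s = authenticate("JSMITH", "correct horse battery", now=1000.0)
    print(perform(s, "view-balance", now=1100.0))            # True: within the idle limit
    print(perform(s, "transfer", now=1100.0 + IDLE_TIMEOUT + 1))  # False: session went idle
    print(audit_for("JSMITH"))
```

Note what the audit trail can and cannot say: it attributes actions to JSMITH because the session was bound to that identity at login, but after the idle limit the system can no longer assume the person at the keyboard is still Jane, so it stops accepting actions rather than silently continuing to record them under her name.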

PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.